proxmox 2 iptables on the host is not filtering guest anymore?
Hey,
In 1.x I had iptables rules on the host machine to filter incoming and outgoing connections to my containers and KVM guests via the FORWARD table. But after the 2.x upgrade this scheme is not working anymore. Even if I just add a default action of DROP in the FORWARD table, it still allows the connections.
How can I filter all the connections from the host now? Do I really have to set up iptables on every single guest OS?
dietmar
05-01-2012, 09:17 AM
Maybe you need to change settings in /etc/sysctl.d/pve.conf
Thank You dietmar,
You've made my day :).
Why did you guys decide to turn it off by default?
What were the default values for those settings in 1.9? Just to be sure everything is working as expected.
And is there a manual so I could read about all the changes in 2.0? :)
dietmar
05-01-2012, 03:00 PM
Why did you guys decide to turn it off by default?
It is considered a security risk.
apmuthu
05-01-2012, 04:11 PM
FWIW:
In ProxmoxVE v1.9 there is no /etc/sysctl.d/pve.conf file
There is only a /etc/sysctl.d/vzctl.conf file that has the following:
# On Hardware Node we generally need
# packet forwarding enabled and proxy arp disabled
net.ipv4.ip_forward = 1
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.proxy_arp = 0
# Enables source route verification
net.ipv4.conf.all.rp_filter = 1
# Enables the magic-sysrq key
kernel.sysrq = 1
# TCP Explicit Congestion Notification
#net.ipv4.tcp_ecn = 0
# we do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
Could you tell me more about this risk? Why, and what kind of risk?
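The thread only points at /etc/sysctl.d/pve.conf without naming the setting. The key that decides whether bridged guest frames traverse the host's iptables FORWARD chain is, to my knowledge, the br_netfilter sysctl net.bridge.bridge-nf-call-iptables (that attribution is my assumption, not something the thread states). The script below is an added example, not code from the thread or from Proxmox: it parses a sysctl.d-style file the way sysctl(8) reads it and reports whether host FORWARD rules will still see guest traffic, using two constructed sample files in place of pve.conf.

```shell
#!/bin/sh
# Added example (not from the thread). Reports whether a sysctl.d file leaves
# bridged guest traffic visible to the host's iptables FORWARD chain. Assumed
# key: net.bridge.bridge-nf-call-iptables. When it is 0, br_netfilter skips
# iptables for bridged frames, so host FORWARD rules silently stop matching.

# Effective value of KEY ($1) in a sysctl.d-style FILE ($2): skips comments and
# blank lines, tolerates spaces around '=', last assignment wins (as sysctl does).
sysctl_conf_value() {
    awk -v k="$1" -F= '
        /^[[:space:]]*$/   { next }
        /^[[:space:]]*[#;]/ { next }
        { n=$1; v=$2
          gsub(/^[[:space:]]+|[[:space:]]+$/, "", n)
          gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
          if (n == k) { val=v; seen=1 } }
        END { if (seen) print val }' "$2"
}

# Succeeds when FILE keeps bridged traffic filterable. An absent key falls back
# to the kernel default of 1 (assumes no other sysctl.d file overrides it).
conf_filters_bridged() {
    v=$(sysctl_conf_value net.bridge.bridge-nf-call-iptables "$1")
    [ "${v:-1}" = "1" ]
}

# Live value on a real host; only readable once the bridge module is loaded.
live_bridge_nf_value() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && cat "$f" || echo "unavailable"
}

# Constructed sample files standing in for /etc/sysctl.d/pve.conf.
PVE2_CONF=$(mktemp); FIXED_CONF=$(mktemp)
cat > "$PVE2_CONF" <<'EOF'
# constructed: 2.x-style file, bridged frames bypass iptables
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 0
EOF
cat > "$FIXED_CONF" <<'EOF'
# constructed: same file with the hook re-enabled; the later line wins
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-iptables=1
EOF

for f in "$PVE2_CONF" "$FIXED_CONF"; do
    if conf_filters_bridged "$f"; then echo "$f: FORWARD rules apply to guests"
    else echo "$f: guest traffic bypasses host FORWARD chain"; fi
done
echo "running kernel: $(live_bridge_nf_value)"
```

On a live host, `sysctl -p /etc/sysctl.d/pve.conf` after editing the file applies the change without a reboot, and the last line of the output shows the value the running kernel currently has.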